Bug 151180 - Missing HTML escaping/XSS: <script>alert('hello world')</script>
Status: CLOSED CURRENTRELEASE
Product: Bugzilla
Classification: Community
Component: Bugzilla General
Version: 2.18
Platform: All Linux
Priority: medium
Severity: high
Assigned To: David Lawrence
Reported: 2005-03-15 14:00 EST by Ville Skyttä
Modified: 2007-04-18 13:20 EDT
Last Closed: 2005-03-15 14:12:14 EST
Doc Type: Bug Fix
Attachments: None
Description Ville Skyttä 2005-03-15 14:00:23 EST
There seems to be a missing HTML escaping / possible cross site scripting
problem with the beta Bugzilla summaries, as probably reproduced by the summary
of this bug.  After modifying a bug, the <h1> in the "Bug XXX processed: ..."
response page contains the summary passed through as-is.
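The defect described above is the classic missing output encoding: a user-controlled summary is interpolated into an HTML heading without escaping. The following Python snippet is an added illustration, not Bugzilla's own code (Bugzilla's templates are Perl/Template Toolkit); it renders the same constructed summary both ways and includes a small regression check that flags any user-supplied string that reached the page with its HTML metacharacters intact. Function names and the "Bug processed:" wording are assumptions for the example.

```python
import html
import re

# Constructed sample input: the same summary text this bug report itself used.
SAMPLE_SUMMARY = "Missing HTML escaping/XSS: <script>alert('hello world')</script>"

# Characters that must never reach HTML output unencoded from user input.
HTML_METACHARS = re.compile(r"[<>&\"']")


def render_processed_heading_unescaped(summary: str) -> str:
    """Mirror the reported defect: summary dropped into the <h1> as-is."""
    return f"<h1>Bug processed: {summary}</h1>"


def render_processed_heading_escaped(summary: str) -> str:
    """Hardened form: encode <, >, &, \" and ' before the text enters HTML.

    html.escape(quote=True) is the Python equivalent of Template Toolkit's
    html filter that Bugzilla templates apply to untrusted fields.
    """
    return f"<h1>Bug processed: {html.escape(summary, quote=True)}</h1>"


def find_unescaped_inputs(page: str, inputs: list[str]) -> list[str]:
    """Return every user-supplied value that appears verbatim in the page
    while still containing HTML metacharacters.

    Inputs without metacharacters are expected to appear unchanged, so they
    are ignored; the check only fires when escaping was clearly skipped.
    """
    leaked = []
    for value in inputs:
        if HTML_METACHARS.search(value) and value in page:
            leaked.append(value)
    return leaked


def check_page_for_leaks(page: str, inputs: list[str]) -> bool:
    """True when no metacharacter-bearing input reached the page unencoded."""
    return not find_unescaped_inputs(page, inputs)


if __name__ == "__main__":
    for renderer in (render_processed_heading_unescaped,
                     render_processed_heading_escaped):
        page = renderer(SAMPLE_SUMMARY)
        status = "OK" if check_page_for_leaks(page, [SAMPLE_SUMMARY]) else "LEAK"
        print(f"{renderer.__name__}: {status}")
        print(f"  {page}")
```

Running the block prints a LEAK verdict for the as-is rendering and OK for the escaped one. The `find_unescaped_inputs` check is deliberately simple (exact substring match on the original value), so it catches the specific failure in this report, a field passed straight through, rather than every possible encoding mistake; it is the kind of assertion a template test suite can run over every page that reflects a bug field.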
Comment 1 Ville Skyttä 2005-03-15 14:02:26 EST
Yep, it is reproduced by the summary in this bug.  Testing non-beta
Bugzilla with this comment...
Comment 2 Ville Skyttä 2005-03-15 14:03:15 EST
Nope, only the beta is affected.
Comment 3 David Lawrence 2005-03-15 14:11:47 EST
Thanks for the heads-up. Testing change to see if this is fixed with this comment.
Comment 4 David Lawrence 2005-03-15 14:12:14 EST
Seems to be fixed now.